I've seen this with a few of the plugins, notably the blindsqli and eval plugins. What happens if you open the test URL manually in a browser? Does the browser take some time to return a result? When I've seen this message, the web server is taking some time to return the request, so to some extent it seems like expected behavior.
Zach

On Thu, Jul 23, 2009 at 2:47 AM, Marthe Engebretsen <[email protected]> wrote:
> Andrés,
>
> -----Original Message-----
> From: Andres Riancho [mailto:[email protected]]
> Sent: Wednesday, July 22, 2009 6:11 PM
> To: Marthe Engebretsen
> Cc: [email protected]
> Subject: Re: [W3af-users] Blind SQL plugin - Too many retries
>
> Marthe,
>
> On Wed, Jul 22, 2009 at 12:23 PM, Marthe Engebretsen<[email protected]> wrote:
> > Andrés,
> >
> > -----Original Message-----
> > From: Andres Riancho [mailto:[email protected]]
> > Sent: Wednesday, July 22, 2009 5:05 PM
> > To: Marthe Engebretsen
> > Cc: [email protected]
> > Subject: Re: [W3af-users] Blind SQL plugin - Too many retries
> >
> > Marthe,
> >
> > On Wed, Jul 22, 2009 at 11:51 AM, Marthe Engebretsen<[email protected]> wrote:
> >>
> >> -----Original Message-----
> >> From: Andres Riancho [mailto:[email protected]]
> >> Sent: Monday, July 20, 2009 4:27 PM
> >> To: Marthe Engebretsen
> >> Cc: [email protected]
> >> Subject: Re: [W3af-users] Blind SQL plugin - Too many retries
> >>
> >> Marthe,
> >>
> >> On Mon, Jul 20, 2009 at 11:22 AM, Marthe Engebretsen<[email protected]> wrote:
> >>> Andrés,
> >>>
> >>> Marthe,
> >>>
> >>> On Mon, Jul 20, 2009 at 10:20 AM, Marthe Engebretsen<[email protected]> wrote:
> >>>> Dear list,
> >>>>
> >>>> I've been testing W3AF for some weeks now, as part of a large project
> >>>> concerning web application security and web application vulnerability
> >>>> scanning. W3AF is one of my absolute favorites of the tools tested, but
> >>>> recently I've got some problems when scanning my "known vulnerable test
> >>>> site" for SQL Injections.
> >>>>
> >>>> In order to check how the tool manages blind SQL injections my test site has
> >>>> been modified to not show database error messages (MySQL-database). When the
> >>>> blindSqli plugin is enabled it only returns: "Too many retries when trying
> >>>> to get: . URL.". I've tried to tune both blindSqli-plugin settings and
> >>>> http-settings, but I still get the same result.
> >>>>
> >>>> Any ideas on what the problem is, and how to get the plugin to work
> >>>> properly?
> >>>
> >>> Are you using some kind of IPS, that could be closing TCP connections
> >>> based on the packet payloads?
> >>>
> >>> No, there is no IPS. The test server is only protected by IP restrictions.
> >>
> >> Then I have no clue of what could be happening, I would need more
> >> information, logs, etc. to be able to try to find what's happening.
> >> Have you tried to use wireshark to see what's going bad at a TCP/IP
> >> level? Usually these types of errors are because of connection errors
> >> at that level. Maybe packets are being dropped?
> >>
> >> Another idea: maybe you could run w3af with the output.textFile plugin
> >> with the verbose parameter set to true, and analyze that?
> >>
> >> ---
> >> I've had a look in the verbose textFile and found some interesting results, even though it's not related to the "too many retries"-problem.
> >>
> >> Why is this vulnerability just marked as "debug":
> >> [ 07/21/09 09:38:39 - debug ] GET http://testsite/index.php?p=movie&id=4 OR 29=29 returned HTTP code "200" - id: 3728
> >> [ 07/21/09 09:38:39 - debug ] GET http://testsite/index.php?p=movie&id=4 AND 29=30 returned HTTP code "200" - id: 3729
> >> [ 07/21/09 09:38:39 - debug ] Comparing secondTrueResponse and trueResponse.
> >> [ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.991228070175
> >> [ 07/21/09 09:38:39 - debug ] Comparing secondFalseResponse and falseResponse.
> >> [ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.979166666667
> >> [ 07/21/09 09:38:39 - debug ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The injectable parameter is: "id". This vulnerability was found in the requests with ids 3728 and 3729.
> >>
> >> While this vulnerability is marked as "vulnerability":
> >> [ 07/21/09 09:47:21 - debug ] GET http://testsite/index.php?comment=1or BENCHMARK(2500000,MD5(1))&p=movie&id=5 returned HTTP code "200" - id: 4268
> >> [ 07/21/09 09:47:21 - vulnerability ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The sent data was: "comment=1+or+BENCHMARK%282500000%2CMD5%281%29%29&p=movie&id=5". The modified parameter was "comment". This vulnerability was found in the request with id 4268.
> >>
> >> Is there a good explanation for this, or is it a bug?
> >
> > I think that you should see the same line, but with a vulnerability
> > tag some lines below. Please let me know if you don't find it.
> >
> > ---
> > When grep-ing for "vulnerability" only 33 debug-entries are shown in addition to the one mentioned which has a vulnerability-tag.
>
> And the scan finished successfully?
>
> ---
> Yes, the scan finished successfully.
>
> Cheers,
> Marthe Engebretsen
>
> >>> --
> >>> Andrés Riancho
> >>> Founder, Bonsai - Information Security
> >>> http://www.bonsai-sec.com/
> >>> http://w3af.sf.net/
------------------------------------------------------------------------------
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
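The triage described in the thread (grepping the verbose output.textFile log for findings and checking which level each was logged at), as an added example that is not part of the original messages or of w3af's own code. It assumes the `[ date - level ] message` layout and the finding wording quoted above; the function names and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the "[ date - level ] message" layout quoted in the
# thread; the second finding is deliberately wrapped as a mail client would.
SAMPLE_LOG = """\
[ 07/21/09 09:38:39 - debug ] Pages are equal, match rate: 0.991228070175
[ 07/21/09 09:38:39 - debug ] Blind SQL injection was found at: "http://testsite/index.php", using HTTP method GET. The injectable parameter is: "id". This vulnerability was found in the requests with ids 3728 and 3729.
[ 07/21/09 09:47:21 - vulnerability ] Blind SQL injection was found at:
"http://testsite/index.php", using HTTP method GET. The sent data was: "comment=1+or+BENCHMARK%282500000%2CMD5%281%29%29&p=movie&id=5". The
modified parameter was "comment". This vulnerability was found in the request with id 4268.
"""

ENTRY = re.compile(r"^\[ (?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) - (?P<level>[\w ]+?) \] (?P<msg>.*)$")
FINDING = re.compile(
    r'Blind SQL injection was found at: "\s*(?P<url>[^"]+)", using HTTP method '
    r'(?P<method>\w+)\..*?parameter (?:is:|was) "(?P<param>[^"]+)"'
    r'.*?request(?:s)? with ids? (?P<ids>[\d and,]+)')

def parse_entries(log_text):
    """Return [level, message] pairs, folding wrapped continuation lines back in."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m["level"], m["msg"]])
        elif entries and line.strip():
            entries[-1][1] += " " + line.strip()
    return entries

def findings_by_level(log_text):
    """Map (url, method, parameter) -> {level: sorted request ids}."""
    found = defaultdict(dict)
    for level, msg in parse_entries(log_text):
        hit = FINDING.search(msg)
        if hit:
            key = (hit["url"], hit["method"], hit["param"])
            found[key][level] = sorted(int(i) for i in re.findall(r"\d+", hit["ids"]))
    return dict(found)

def debug_only(log_text):
    """Findings never logged at 'vulnerability' level; a grep on that level misses them."""
    return sorted(k for k, levels in findings_by_level(log_text).items()
                  if "vulnerability" not in levels)

if __name__ == "__main__":
    for url, method, param in debug_only(SAMPLE_LOG):
        print(f"debug-only finding: {method} {url} parameter={param}")
```

Run against a real verbose log, the debug-only list is the set of findings to cross-check against the scan report before treating the report as complete.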
